Data processing agreement

1. Purpose and scope

This DPA applies to the extent that TrueFitCV.ai processes personal data for Customer as a processor in connection with the Services.

This DPA supplements the Terms of Service and any Order Form. If there is any conflict relating to personal data processing, this DPA prevails over the Terms to the extent of that conflict.

This DPA does not apply to processing activities for which TrueFitCV.ai acts as controller, including account administration, billing, service security, fraud prevention, abuse monitoring, business communications, and its own legal and regulatory compliance.

2. Roles of the parties

The parties acknowledge that, for Customer recruitment data processed through the Services, Customer is generally the controller and TrueFitCV.ai is generally the processor.

Customer may be an employer, recruitment agency, or HR / recruitment technology partner acting in its own capacity as controller or, where applicable, as a controller in a chain of recruitment processing.

TrueFitCV.ai will process personal data only on documented instructions from Customer, unless required to do otherwise by applicable law.

If TrueFitCV.ai believes an instruction infringes applicable data protection law, it will inform Customer without undue delay.

3. Customer instructions

Customer instructs TrueFitCV.ai to process personal data as necessary to provide the Services, including to ingest, host, structure, organise, normalise, analyse, score, rank, search, filter, synchronise, export, and delete Customer Data in accordance with the Terms, this DPA, the Documentation, and Customer configuration choices.

Customer may provide additional written instructions consistent with the Services. If an instruction requires material additional work or cost, the parties may agree appropriate charges.

TrueFitCV.ai will not sell personal data processed under this DPA and will not use candidate data to create or commercialise any independent shared candidate pool or marketplace unless separately agreed in writing.

4. Details of processing

The subject matter, duration, nature, and purpose of processing, as well as the categories of personal data and data subjects, are described in Annex 1.

Customer is responsible for ensuring that the personal data it submits is adequate, relevant, and limited to what is necessary for its recruitment purposes.

5. Confidentiality

TrueFitCV.ai will ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations, whether contractual or statutory.

Access to personal data will be limited to personnel and subprocessors who need such access for the purposes of providing, securing, and supporting the Services.

6. Security of processing

TrueFitCV.ai will implement and maintain appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

The measures will take into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, and the risks to individuals.

A description of the current baseline security measures is set out in Annex 2. TrueFitCV.ai may update those measures from time to time provided that the overall level of protection is not materially diminished.

7. Subprocessing

Customer authorises TrueFitCV.ai to engage subprocessors to assist in delivering the Services, provided that TrueFitCV.ai remains responsible for their performance of the relevant processing obligations.

TrueFitCV.ai will maintain an up-to-date list of material subprocessors relevant to the Services and make that list available to Customer on request or through its legal / trust materials.

TrueFitCV.ai will impose data protection obligations on subprocessors that are no less protective than those set out in this DPA, to the extent applicable to the services provided by each subprocessor.

Where Customer reasonably objects to a new subprocessor on data protection grounds, the parties will discuss the objection in good faith. If no reasonable solution is available, Customer may terminate the affected Services on written notice.

8. International transfers

For early-stage operations, the parties intend that personal data processed under this DPA will be hosted in the UK and / or Europe, subject to the relevant Azure and other approved subprocessor configurations.

TrueFitCV.ai will not transfer personal data outside the UK without ensuring that an appropriate transfer mechanism and supplementary measures are in place where required by applicable data protection law.

Where required, the parties will incorporate or rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism.

9. Assistance with data subject rights

Taking into account the nature of the processing, TrueFitCV.ai will provide reasonable assistance to Customer to enable Customer to respond to requests from data subjects exercising their rights under applicable data protection law.

Where TrueFitCV.ai receives a request directly relating to personal data processed for Customer, TrueFitCV.ai will, unless prohibited by law, promptly refer the request to Customer and will not respond substantively except on Customer's documented instructions or where required by law.

Customer remains responsible for determining how to respond to any such request and for ensuring that candidates and other data subjects are provided with appropriate privacy information.

10. Assistance with compliance obligations

Taking into account the nature of the processing and the information available to TrueFitCV.ai, TrueFitCV.ai will provide reasonable assistance to Customer with Customer obligations relating to security of processing, personal data breach notifications, data protection impact assessments, and consultations with supervisory authorities, where required by applicable law.

TrueFitCV.ai may charge reasonable fees for assistance that is excessive, repetitive, or outside the normal scope of the Services.

11. Personal data breaches

TrueFitCV.ai will notify Customer without undue delay after becoming aware of a personal data breach affecting personal data processed for Customer under this DPA.

Such notification will include, where reasonably available, information sufficient to assist Customer in meeting any obligations to report or communicate the breach under applicable law.

TrueFitCV.ai will take reasonable steps to identify the cause of the breach, contain its effects, and mitigate adverse consequences.

12. Deletion and return of personal data

Upon termination or expiry of the Services, and subject to any agreed export period, TrueFitCV.ai will delete or return personal data processed under this DPA in accordance with Customer instructions, the Terms, and the ordinary functionality of the Services.

TrueFitCV.ai may retain personal data to the extent required by applicable law, for legitimate backup and disaster recovery cycles, to establish or defend legal claims, or to maintain limited security and audit records.

Customer acknowledges that retention settings may be configurable within the Services, but Customer remains responsible for setting retention rules that align with its recruitment purposes and legal obligations.

13. Information and audit rights

TrueFitCV.ai will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

Where such information is insufficient, Customer may request an audit or inspection, subject to reasonable notice, confidentiality controls, scope limitations, frequency limits, and non-disruption requirements.

Any audit must be limited to matters directly relevant to this DPA and may be satisfied through recent third-party audit reports, security summaries, certifications, or written responses where appropriate.

Customer will bear its own audit costs and TrueFitCV.ai may charge reasonable costs where an audit is requested more than once in any 12-month period or is otherwise burdensome.

14. Records and cooperation

TrueFitCV.ai will maintain records of processing activities as required by applicable law and will cooperate with competent supervisory authorities where required in relation to processing carried out under this DPA.

TrueFitCV.ai will maintain appropriate internal logging and audit trails relating to access, deletion, synchronisation, security events, and other relevant service operations, taking into account the nature of the Services.

15. Liability

The liability of each party arising out of or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Terms, unless otherwise expressly agreed in an Order Form or addendum.

Nothing in this DPA removes or limits liability to the extent such limitation is prohibited by applicable law.

16. General

This DPA is governed by the same governing law and jurisdiction provisions as the Terms, unless otherwise stated in the Order Form.

If any provision of this DPA is held unenforceable, the remainder will continue in effect.

This DPA may be updated by TrueFitCV.ai from time to time for legal, regulatory, or operational reasons, provided that any material adverse change to Customer protections will not take effect during an active Subscription Term without reasonable notice, unless required by law.

Annex 1 - Details of processing

This Annex describes the processing carried out by TrueFitCV.ai on behalf of Customer in connection with the Services.

Subject matter

Provision of recruitment workflow software to ingest, organise, analyse, score, rank, search, synchronise, export, and delete candidate and recruitment-related data on behalf of Customer.

Duration

For the Subscription Term and any limited post-termination export, deletion, backup, or legal hold period described in the Terms and this DPA.

Nature of processing

Collection, receipt, hosting, storage, organisation, structuring, adaptation, normalisation, retrieval, consultation, scoring, ranking, filtering, synchronisation with Partner Platforms, export, deletion, and destruction.

Purpose of processing

To provide the Services for Customer recruitment operations, including candidate matching, role-based scoring, ranking, workflow support, reporting, and integration with ATS / CRM / job board systems.

Categories of data subjects

Job applicants, prospective applicants, candidates, referees where included in application materials, Customer users, and limited contact persons contained within recruitment records.

Categories of personal data

Names, contact details, CV and employment history, education, qualifications, skills, application materials, salary expectations, job preferences, notes, candidate identifiers, job application metadata, and system-generated outputs such as scores, rankings, and suitability indicators.

Special category / sensitive data

Not intentionally required for the early-stage Services. Customer should avoid submitting special category data, criminal offence data, or other highly sensitive data unless strictly necessary, lawful, and separately agreed.

Frequency

Continuous or event-driven processing during the Subscription Term, including inbound application flows and API / integration-based synchronisation from approved Partner Platforms.

Controller instructions summary

Customer supplies or authorises the supply of candidate and recruitment-related personal data to TrueFitCV.ai.

TrueFitCV.ai processes that data only to deliver the Services, maintain security, provide support, and carry out related processor obligations.

TrueFitCV.ai does not use Candidate Data under this DPA to build an independent candidate pool, marketplace, or resale database.

Annex 2 - Security measures summary

The following is a first-pass summary of the technical and organisational measures applied or intended to be applied to the Services. This summary is subject to implementation detail and solicitor review.

Access control

Role-based access controls for internal personnel and Customer users.

Unique user accounts and authentication controls for access to the Services.

Principle of least privilege applied to administrative access where practicable.

Infrastructure and hosting

Hosting on Microsoft Azure enterprise cloud infrastructure.

Segregation between environments where appropriate.

Network and perimeter protections suitable for a SaaS application handling recruitment data.

Encryption

Encryption in transit using current TLS standards.

Encryption at rest for production storage where supported by the relevant Azure services and configurations.

Logging and monitoring

Logging of relevant authentication events, administrative actions, synchronisation events, deletions, and security-relevant activity.

Monitoring and alerting processes appropriate to the scale and maturity of the Services.

Backup and resilience

Backup and disaster recovery measures appropriate to the nature of the Services.

Limited retention of backup copies for resilience and restoration purposes.

Personnel and process controls

Confidentiality obligations for personnel with access to personal data.

Internal procedures for incident handling, access review, and security management.

Vendor management

Due diligence and contractual controls for subprocessors handling personal data.

Subprocessor list maintained and updated as the service stack evolves.

Data minimisation and deletion

Ability to delete or return Customer Data at end of service or on instruction, subject to backup and legal retention exceptions.

Retention settings and deletion workflows to be developed and refined as the product matures.

Annex 3 - Initial subprocessor list

This Annex reflects the currently expected early-stage subprocessor categories based on the information available at drafting date. It should be updated before go-live contracting if additional vendors are engaged.

Cloud hosting / infrastructure

Provider: Microsoft Azure

Purpose: Application hosting, storage, compute, networking, and backups.

Transactional email

Provider: [To be confirmed]

Purpose: Account emails, password resets, service notifications, and workflow communications.

Analytics / monitoring

Provider: [To be confirmed]

Purpose: Service analytics, performance monitoring, diagnostics, and error tracking.

Support / CRM

Provider: [To be confirmed]

Purpose: Customer support operations, ticketing, and relationship management where personal data is involved.

Open points for solicitor / commercial review

Whether Customer should receive formal notice periods for new subprocessors and, if so, how long.

Whether specific audit report substitutes should be named rather than leaving the audit clause general.

Whether a more explicit retention schedule should be added into the DPA or kept operational in the product and trust materials.

Whether partner-specific addenda are needed for ATS / HR tech integrations that impose additional downstream restrictions on use of imported data.

Whether any express commitments around automated decision support, explainability, or anti-bias review should be added once the product scoring logic is more mature.